2014-09-08 - FILELESS INFECTION BY ANGLER EK FROM 5.196.36.99 - KATHARYN.TAXSAVINGSNETWORK.COM:8080

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


ANGLER EK:


POST-INFECTION TRAFFIC:


NOTE: Angler EK didn't save its payload to the hard drive; however, follow-up malware was dropped on the local host.  This likely came from the encrypted traffic to nigopgreta.in (188.165.251.195) and/or nvlyffua.com (217.23.13.42).  Those two IP addresses returned the most bytes of traffic to the infected local host (192.168.204.149).


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-09-08-Angler-EK-flash-exploit.swf
File size:  75.3 KB ( 77068 bytes )
MD5 hash:  67ca9a31f220bc7b68f203c07ad668b9
Detection ratio:  1 / 54
First submission:  2014-09-08 14:58:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4/analysis/


JAVA EXPLOIT

File name:  2014-09-08-Angler-EK-java-exploit.jar
File size:  28.1 KB ( 28768 bytes )
MD5 hash:  b7b59e710aca39073c67cda53871111e
Detection ratio:  16 / 55
First submission:  2014-09-04 08:25:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c6a5c9154b088c1ae8ccaeb7b987ae560a5325ab389f994619c92bc71610f17b/analysis/


MALWARE PAYLOAD (NOT SAVED TO A FILE):

File name:  2014-09-08-Angler-EK-malware-payload.dll
File size:  156.3 KB ( 160006 bytes )
MD5 hash:  26a77e34a6925565a42703ffd2c328b5
Detection ratio:  6 / 55
First submission:  2014-09-08 15:15:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3e713d79effd87ea5e5fe676571ebf467a6e0fca1f24177b88e360c1ede9ebca/analysis/


See the screenshots section for the steps I took to extract this.


DROPPED MALWARE 1 OF 2:

File name:  2014-09-08-Angler-EK-dropped-malware-01.exe
File size:  107.0 KB ( 109568 bytes )
MD5 hash:  d243dc90453635d3545932f8b4122091
Detection ratio:  3 / 41
First submission:  2014-09-08 14:59:21 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c4e736d62f0909741370e1b16f72718b97b2e5d227c7f6cc63212ac5097fc46b/analysis/


DROPPED MALWARE 2 OF 2:

File name:  2014-09-08-Angler-EK-dropped-malware-02.exe
File size:  416.0 KB ( 425955 bytes )
MD5 hash:  81fbc96d2b8304a5ba6f861126acdc89
Detection ratio:  8 / 41
First submission:  2014-09-08 14:59:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d8cff201e8af50f63b41b8ab95914ed2a4e9a68e75ca5b63efbb8469b20936d0/analysis/


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:


SCREENSHOTS

Find one of the TCP streams with an obfuscated malware payload, which you can identify by the repeated strings--in this case: wT6QtySY.  See Kafeine's writeup for the XOR-strings Angler EK has been using.


XOR-ing the extracted file with wT6QtySY gives you a single file with shellcode followed by a DLL.  NOTE: Angler EK has used more than a simple XOR string in the past, so this isn't a foolproof method to decrypt the binary.


I used a hex editor to remove the shellcode portion, and save the DLL.  This appears to have worked--the file was identified by 6 out of 55 vendors on VirusTotal.
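The three manual steps above (spot the repeated XOR string in the stream, XOR the carved body with it, cut the shellcode off the front of the DLL) can be scripted for the simple-XOR case. The script below is an added example and is not the author's tooling; it uses only the Python 3 standard library and runs on a constructed stand-in blob (filler "shellcode" plus a minimal PE skeleton, not real malware). It also shows why the key is visible as a repeated string: null-heavy regions of a PE XORed with the key become the key itself, so the most frequent 8-byte substring, rotated back to the blob's offset 0, is the key. The "MZ" candidate is only accepted when its e_lfanew field points at a "PE\0\0" signature, which avoids carving at a coincidental "MZ". It does not handle the non-XOR schemes the note above mentions.

```python
import collections
import struct

# Key observed on this page. Everything else below is constructed for the example.
XOR_KEY = b"wT6QtySY"


def build_sample_plaintext() -> bytes:
    """Constructed stand-in for 'shellcode followed by a DLL': 64 bytes of filler,
    then a minimal PE skeleton (DOS header, DOS stub, PE signature, null padding)."""
    shellcode = bytes(range(0x90, 0xA0)) * 4              # filler, not real shellcode
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)        # e_lfanew -> PE signature at 0x80
    dos_stub = b"This program cannot be run in DOS mode.\r\n$".ljust(64, b"\x00")
    pe_header = b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18  # Machine = i386, rest zeroed
    return shellcode + bytes(dos_header) + dos_stub + pe_header + b"\x00" * 200


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (symmetric: encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, key_len: int = 8) -> bytes:
    """Take the most frequent key_len-gram (produced by null runs in the PE) and
    rotate it so that it is aligned to offset 0 of the blob."""
    grams = collections.Counter(blob[i:i + key_len] for i in range(len(blob) - key_len + 1))
    gram, _ = grams.most_common(1)[0]
    first = blob.find(gram)
    # blob[first + j] == key[(first + j) % key_len]  =>  key[m] == gram[(m - first) % key_len]
    return bytes(gram[(m - first) % key_len] for m in range(key_len))


def find_pe_offset(data: bytes) -> int:
    """Offset of the first 'MZ' whose e_lfanew points at 'PE\\0\\0', or -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def carve_dll(blob: bytes, key: bytes = None) -> tuple:
    """Decode an obfuscated stream body and split it into (key, shellcode, dll).
    If key is None it is recovered from the blob's repeated string."""
    if key is None:
        key = recover_xor_key(blob)
    decoded = xor_bytes(blob, key)
    off = find_pe_offset(decoded)
    if off == -1:
        raise ValueError("no valid MZ/PE header after XOR; key or encoding scheme may differ")
    return key, decoded[:off], decoded[off:]


if __name__ == "__main__":
    plain = build_sample_plaintext()
    blob = xor_bytes(plain, XOR_KEY)      # what the carved TCP stream body looks like
    key, sc, dll = carve_dll(blob)
    print("key:", key, "shellcode bytes:", len(sc), "dll bytes:", len(dll))
```

On a real capture, replace the constructed blob with the bytes saved from the TCP stream (Wireshark "Follow TCP Stream", raw, with the HTTP headers stripped), and write the returned `dll` to disk before hashing or submitting it.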


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
